Manufacturing and Cybersecurity: Know the Essentials
It’s no secret that the security climate on the internet is becoming more dangerous by the day. This is especially true for business professionals in the manufacturing space, where cyber attacks are only becoming more frequent and more costly with each passing year.
According to a study conducted by the Ponemon Institute, 70 percent of all organizations said that their security risk increased significantly in 2017 alone. About 230,000 new malware samples are discovered on a daily basis and that number is expected to increase significantly over time. In addition to this, the average consolidated cost of a single data breach incident rose to $3.86 million last year, a massive increase of about 6 percent from the year before.
In 2019, smartphones or tablets won’t be the only worry — it will be the countless devices that collectively make up the internet of things. Connected devices, all creating and sharing an enormous amount of data at all times, will become one of the biggest targets for malware attacks, according to security researchers, which means that the situation is about to worsen for the industries that depend on them.
Industries like the manufacturing sector.
Over the past few years alone, attacks against manufacturing organizations in particular have been steadily increasing in a way that is becoming more and more difficult to ignore. According to a recent survey by the Alert Logic cybersecurity firm, about half of all manufacturers say that they’ve suffered from some type of cyber incident, whereas 24 percent of them indicated they were fortunate enough that their existing cybersecurity processes prevented any appreciable impact. Unfortunately, an equal number indicated that they sustained significant “financial or business losses” due to a breach. All told, roughly 400 manufacturers were attacked every day during 2016, amounting to about $3 billion in combined losses.
So why is the situation so grim, and what needs to be done about it? Answering these questions, and ones just like them, requires manufacturers to keep a few key things in mind.
Part of the reason why manufacturers in particular make such an attractive target for hackers has to do with the value of the information available to steal during a successful attack. If a hacker focuses their attention on stealing credit card numbers from private citizens, they may be able to run up a few hundred dollars in fraudulent charges before the card is shut down by the associated financial institution. This is a large part of the reason why, in the United States, the estimated per-card price for this type of stolen information comes in at just $30. But if a major manufacturer is infiltrated and hackers come away with sensitive client information or valuable intellectual property, there’s potentially no limit to the amount of damage they can cause and money they can make.
To that point, the primary reason manufacturers are particularly susceptible to large-scale cyber attacks is that what they’re usually manufacturing involves controlled unclassified information, or CUI.
The items that fall into this category often include some of the less than glamorous aspects of defense contracting, but that doesn’t make them any less important. These are things like the components that go into military technologies and devices like cameras and radios, or things like the labels that illustrate the panels on a console. Many manufacturers operating in this space also work on things like the engines that would later be part of a fighter jet a few years down the line, thus making them a particularly attractive target for attackers — notably nation-state actors.
These are all valuable technologies that hackers — regardless of whether or not they’re government sponsored — are looking at to fulfill their own agendas. What so many fail to realize is that the country’s enemies are focusing tremendous amounts of resources on cyber warfare, which has arguably become the “front lines” of the majority of today’s conflicts.
Another major reason why manufacturers are such big targets is because they’re easy to exploit. It’s no secret that the manufacturing space is slower than most to adopt and effectively implement the newest technologies. Unfortunately, IT security itself is oftentimes overlooked by manufacturers and perceived as an additional cost that brings little value to their daily operations and overall profits. Those industry perceptions, notably in regard to DFARS/NIST 800-171 IT compliance, remain contentiously up for debate.
This is true of both the manufacturers and, even more surprisingly, the prime government contractors requiring those controls in the first place.
Time and again, even though the regulations are seemingly clear, there are many within this space who think that the Defense Federal Acquisition Regulation Supplement only applies to organizations working with classified information, despite the regulation being singularly focused on controlled unclassified information. This is the type of discrepancy that breeds a deeply rooted sense of malaise on an organizational level that most manufacturing businesses simply cannot afford.
Sadly, this is likely due, in part, to generational perspectives, as smaller manufacturers have always had somewhat of an “adversarial relationship” with technology. These types of threats have existed for so long that people get “tired of hearing about them,” at which point they resort to a hermit-like IT existence until there are no other options left. At that point, businesses have to partner with someone to bring them up to date, and they pay more money upfront than they would have if they had just kept up with the times in the first place.
At that point, this perspective becomes the “snake eating its own tail.” Cybersecurity malaise creates an entire industry that falls behind on the latest protections and best practices, which leads to an increase in costly incidents and enormous digital transformation investments that should have been happening slowly but surely all along.
Unfortunately, for manufacturers to adequately address these issues, nothing less than a multi-pronged approach will suffice.
The first and most necessary prong will require a change to organizational culture and taking these vast regulatory compliance requirements more seriously. To that point, the contracting manufacturers need to make sure they actually require their vendors to be reviewed and verified by their subcontractors. It may seem rather obvious, but compliance requirements must be enforced by regulators for them to bear any meaning, rather than being seen as an over-glorified way to pass accountability from one organization to the next.
It appeared that 2018’s compliance requirements were little more than a way for bigger companies to shift accountability away from themselves and onto their subcontractors, absolving themselves of any degree of real accountability to an industry managing enough compromisable CUI to arguably present a national security concern.
There’s also the problem that these types of requirements need a set of IT security tools that are far too cost-prohibitive for the small manufacturer to outsource and would require a part-time, security-oriented IT professional to implement internally. That alone, coupled with the fact that there have been few, if any, instances of DFARS non-compliance penalties, makes it difficult to believe that the government or major contractors take any of this seriously — at least today. It’s equally unclear to many observers whether there’s a way for them to legitimately gain from it.
The final major way to begin addressing this problem involves creating a more collaborative work environment at many of these manufacturing organizations, one where every part of the business is connected to IT in an organic way rather than siloed off from it.
As cybersecurity in general becomes more complicated and demanding, the older manufacturer model of “our IT department is a single employee who sits in a room by himself and never talks to anybody” is not going to work for much longer — if it ever did in the first place. This speaks to another important consideration: the ultimate return on investment of DFARS. It’s understandable to ask whether a business has enough revenue to gain from it to justify the costs of becoming compliant in the first place. But when considering the number of contracts a company will potentially miss out on by not becoming compliant, not to mention the potential liabilities the organization will be exposed to, it becomes clear almost immediately that the answer is “yes.”
Manufacturing organizations of all shapes and sizes need a real thought leader in their ranks in the form of a more polished professional or IT service provider. Oftentimes this is delegated to chief financial officers or information officers, but this yields mixed results stemming from a gap between the breadth of the compliance requirements and the expectations that their role fulfills as the manufacturer’s IT thought leader. For example, CFOs can help meaningfully forecast resources and address the risks and opportunities that come part and parcel with these requirements, but often understand too little of IT and/or overly emphasize the importance of commoditizing the relationship over service quality — which can result in unanticipated, costly issues stemming from those oversights.
Unless manufacturing organizations begin to see any level of true enforcement of these types of requirements, and regulatory bodies are held to a higher degree of accountability, the cybersecurity climate in the sector is only going to become worse. The consequences of those incidents — the loss of intellectual property, revenue and customer confidence — are going to compound, and the impact will be more severe than people think. At a certain point, this will also begin to affect U.S. national security. This is all preventable by taking the right, proactive approach now.
Chris Souza is the CEO of Technical Support International (TSI), a New England-based IT support and cybersecurity firm. He can be reached at: http://www.tsisupport.com.